Hola · Holacms · CVE-2005-0796
**Name of the Vulnerable Software and Affected Versions**
HolaCMS version 1.4.9-1
**Description**
A directory traversal issue allows remote attackers to overwrite arbitrary files by bypassing the check that ensures files are in the holaDB/votes directory. The bypass uses a `vote filename` parameter that contains "holaDB/votes" followed by a sequence of `..` (dot dot) components, so the value passes the directory check while the resulting path resolves outside that directory.
**Recommendations**
For HolaCMS version 1.4.9-1, as a temporary workaround, consider restricting access to the `vote filename` parameter in the affected API endpoint until a patch is available. Do not accept `vote filename` values containing sequences that could facilitate directory traversal, such as `..`, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
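The difference between the bypassed check in the description and a containment check that survives `..` sequences, as an added Python illustration (not HolaCMS code). The shape of `weak_check`, the function names, the `base_dir` argument and the sample values are assumptions made for the example.

```python
import os
from typing import Optional

VOTES_DIR = "holaDB/votes"  # directory named in the advisory


def weak_check(vote_filename: str) -> bool:
    # Assumed shape of the flawed check: a string test on the raw parameter.
    return vote_filename.startswith(VOTES_DIR)


def safe_resolve(base_dir: str, vote_filename: str) -> Optional[str]:
    """Return the canonical target path if it lies inside VOTES_DIR, else None."""
    if not vote_filename or "\0" in vote_filename:
        return None
    root = os.path.realpath(os.path.join(base_dir, VOTES_DIR))
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base_dir, vote_filename))
    try:
        # commonpath compares whole components, so "votes_old" != "votes".
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. different drives on Windows
        return None
    return target if inside and target != root else None


# Constructed sample values, not taken from real traffic.
SAMPLES = [
    "holaDB/votes/poll1.txt",
    "holaDB/votes/../../index.php",
    "holaDB/votes_old/poll1.txt",
    "/etc/passwd",
]


def audit(base_dir: str, samples=SAMPLES):
    """Return (value, weak_check result, hardened result) for each sample."""
    return [(s, weak_check(s), safe_resolve(base_dir, s) is not None) for s in samples]


if __name__ == "__main__":
    for value, weak, hardened in audit(os.getcwd()):
        print(f"{value!r:40} weak={weak!s:5} hardened={hardened}")
```

Rows where the weak result is true and the hardened result is false are the values a string-only check lets through; the same comparison can be run over logged parameter values to find past attempts.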